Not sure this reference will help but might give you a push in the right direction: https://risdenk.github.io/2018/03/18/apache-knox-proxying-apache-nifi.html
The blog post is focused on setting up NiFi/Knox correctly. The blog post doesn't use KnoxSSO for the authentication, but it should be possible to replace the LDAP stuff with KnoxSSO. I don't think you need Shiro and SSOCookieProvider. manager.xml has an example of just KnoxSSO without needing the Shiro provider.

Kevin Risden

On Thu, Apr 4, 2019 at 12:20 PM Thibault VERBEQUE <thibault.verbe...@omnilog.fr> wrote:

> Hi all,
>
> I'm struggling to configure Knox correctly in order to publish a NiFi
> cluster. Currently I'm using the following topology:
>
> <topology>
>   <gateway>
>     <provider>
>       <role>authentication</role>
>       <name>ShiroProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sessionTimeout</name>
>         <value>1800</value>
>       </param>
>       LDAP_CFG_REDACTED
>       <param>
>         <name>redirectToUrl</name>
>         <value>/gateway/discovery-preprod/knoxauth/login.html</value>
>       </param>
>       <param>
>         <name>restrictedCookies</name>
>         <value>rememberme,WWW-Authenticate</value>
>       </param>
>       <param>
>         <name>urls./**</name>
>         <value>authcBasic</value>
>       </param>
>     </provider>
>     <provider>
>       <role>federation</role>
>       <name>SSOCookieProvider</name>
>       <enabled>true</enabled>
>       <param>
>         <name>sso.authentication.provider.url</name>
>         <value>https://host1.sub.dom.tld:9243/gateway/topologie-name/api/v1/websso</value>
>       </param>
>     </provider>
>     <provider>
>       <role>webappsec</role>
>       <name>WebAppSec</name>
>       <enabled>true</enabled>
>       <param>
>         <name>csrf.enabled</name>
>         <value>false</value>
>       </param>
>       <param>
>         <name>csrf.customHeader</name>
>         <value>X-XSRF-Header</value>
>       </param>
>       <param>
>         <name>csrf.methodsToIgnore</name>
>         <value>GET,OPTIONS,HEAD</value>
>       </param>
>       <param>
>         <name>xframe.options.enabled</name>
>         <value>true</value>
>       </param>
>       <param>
>         <name>xss.protection.enabled</name>
>         <value>false</value>
>       </param>
>       <param>
>         <name>strict.transport.enabled</name>
>         <value>false</value>
>       </param>
>     </provider>
>     <provider>
>       <role>identity-assertion</role>
>       <name>Default</name>
>       <enabled>true</enabled>
>     </provider>
>     <provider>
>       <role>hostmap</role>
>       <name>static</name>
>       <enabled>true</enabled>
>       <param>
>         <name>host1.dom2.tld2</name>
>         <value>host1.sub.dom.tld</value>
>       </param>
>     </provider>
>     <provider>
>       <role>authorization</role>
>       <name>XASecurePDPKnox</name>
>       <enabled>true</enabled>
>     </provider>
>   </gateway>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.cookie.secure.only</name>
>       <value>false</value>
>     </param>
>     <param>
>       <name>knoxsso.enable.session</name>
>       <value>true</value>
>     </param>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>360000</value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^/.*$;^https?://(.+\.sub\.dom\.tld|.+\.dom2\.tld2)(:[0-9]+)(/|/.*)?$</value>
>     </param>
>   </service>
>   <service>
>     <role>NIFI</role>
>     <url>https://host1.dom2.tld:9091</url>
>     <url>https://host2.dom2.tld:9091</url>
>     <url>https://host3.dom2.tld:9091</url>
>     <param>
>       <name>useTwoWaySsl</name>
>       <value>true</value>
>     </param>
>   </service>
>   <application>
>     <name>knoxauth</name>
>   </application>
> </topology>
>
> Relevant certs are already created and imported (user cert, key and NiFi CA
> certificate) in gateway.jks. I set up proxy host, path and Knox params in
> nifi.properties and disabled other user sources (empty
> nifi.security.user.login.identity.provider).
>
> I can successfully authenticate in NiFi with generated certs, so the Ranger
> policy seems correct.
>
> I observed the following behavior when I enter
> https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/nifi :
>
> - Without modification to service.xml:
>   - Knox redirects the user to
>     https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html
>     (no request forwarding to the backend)
>   - If I manually add
>     ?OriginalUrl=https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback
>     Knox redirects me again to
>     https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html
>     after the login attempt
> - If I add <policy role="authentication" name="Anonymous" /> in
>   service.xml: Knox forwards the request to NiFi, which finally redirects my
>   browser to
>   https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html?OriginalUrl=https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback
>   then NiFi redirects my browser back via Knox to the same URL when I
>   authenticate, because in subsequent calls Knox resolves the user to anonymous
>   (?doAs=anonymous).
>
> I have seen this policy defined for other services like Ambari, Yarnuiv2
> when they use tokens provided by Knox.
>
> Knox is version 1.0 and NiFi 1.9.
>
> Regards
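As an added example (not code from this thread or from the Knox project), the script below parses a trimmed copy of the topology posted above, flags the browser-facing controls it switches off (csrf.enabled, xss.protection.enabled, strict.transport.enabled and knoxsso.cookie.secure.only), and probes the posted knoxsso.redirect.whitelist.regex against sample redirect targets, including the NiFi callback URL from the message. It assumes Knox evaluates that parameter as semicolon-separated patterns, any one of which must fully match the redirect target; the WEAK_SETTINGS table, the sample URLs and the TIGHTENED_WHITELIST pattern are constructed here, not taken from Knox.

```python
"""Audit a Knox topology for weakened WebAppSec/KnoxSSO settings and probe
its KnoxSSO redirect whitelist against sample URLs.

Added example for the mailing-list thread; not Knox's own code. The
whitelist semantics (split on ';', full-match any pattern) are an
assumption about how Knox applies knoxsso.redirect.whitelist.regex.
"""
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the topology from the thread (constructed sample input).
TOPOLOGY_XML = r"""<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param><name>csrf.enabled</name><value>false</value></param>
      <param><name>xframe.options.enabled</name><value>true</value></param>
      <param><name>xss.protection.enabled</name><value>false</value></param>
      <param><name>strict.transport.enabled</name><value>false</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.enable.session</name><value>true</value></param>
    <param><name>knoxsso.token.ttl</name><value>360000</value></param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^/.*$;^https?://(.+\.sub\.dom\.tld|.+\.dom2\.tld2)(:[0-9]+)(/|/.*)?$</value>
    </param>
  </service>
</topology>
"""

# (role, param) -> value that disables a browser-facing control (constructed table).
WEAK_SETTINGS = {
    ("webappsec", "csrf.enabled"): "false",
    ("webappsec", "xss.protection.enabled"): "false",
    ("webappsec", "strict.transport.enabled"): "false",
    ("KNOXSSO", "knoxsso.cookie.secure.only"): "false",
}

# Constructed hardening of the posted regex: the host part may not contain
# '/', ':', '?' or '#', so it cannot run on into the port or path, and the
# relative form rejects protocol-relative targets that start with "//".
TIGHTENED_WHITELIST = (
    r"^/(?!/).*$;"
    r"^https?://([^/:?#]+\.sub\.dom\.tld|[^/:?#]+\.dom2\.tld2)(:[0-9]+)(/.*)?$"
)

# The NiFi callback URL quoted in the message.
CALLBACK_URL = ("https://host1.sub.dom.tld:9243/gateway/topologie-name"
                "/nifi-app/access/knox/callback")


def load_params(xml_text):
    """Return {(role, param_name): value} for every provider and service param."""
    params = {}
    for block in ET.fromstring(xml_text).iter():
        if block.tag not in ("provider", "service"):
            continue
        role = (block.findtext("role") or "").strip()
        for p in block.findall("param"):
            name = (p.findtext("name") or "").strip()
            params[(role, name)] = (p.findtext("value") or "").strip()
    return params


def weak_settings(params):
    """Sorted names of params set to the value that disables the control."""
    return sorted(name for (role, name), bad in WEAK_SETTINGS.items()
                  if params.get((role, name), "").lower() == bad)


def is_whitelisted(url, whitelist):
    """Assumed Knox semantics: ';'-separated patterns, URL must fully match one."""
    return any(re.fullmatch(pat, url) for pat in whitelist.split(";") if pat)


def audit(xml_text, candidate_urls):
    """Flag weak settings and report which candidate redirects the regex admits."""
    params = load_params(xml_text)
    whitelist = params[("KNOXSSO", "knoxsso.redirect.whitelist.regex")]
    return {
        "weak_settings": weak_settings(params),
        "allowed_redirects": [u for u in candidate_urls
                              if is_whitelisted(u, whitelist)],
    }


if __name__ == "__main__":
    probes = [
        CALLBACK_URL,                                            # legitimate
        "/gateway/topologie-name/nifi-app/nifi",                 # relative path
        "https://host1.sub.dom.tld/gateway/topologie-name/nifi", # no explicit port
        "https://other.example:443/x.sub.dom.tld:1/",            # host spans into path
        "//other.example/x",                                     # protocol-relative
    ]
    for key, val in audit(TOPOLOGY_XML, probes).items():
        print(f"{key}: {val}")
```

Running it against the posted topology reports the four disabled controls and shows three properties of the whitelist regex: a redirect back to host1.sub.dom.tld without an explicit port is rejected because `(:[0-9]+)` is mandatory, while the `.+` in the host position also matches `/` and `:`, so a target on an unrelated host whose path merely contains `.sub.dom.tld:1/` is accepted, and the relative alternative `^/.*$` accepts protocol-relative `//host/...` targets. TIGHTENED_WHITELIST closes the latter two while still admitting the NiFi callback URL.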